Why Our Cyber Worries, Post-WannaCry, Have Only Just Begun

Aftershocks of the landmark WannaCry ransomware attack continue to reverberate across the cybersecurity landscape.

WannaCry was made possible because the Shadow Brokers hacking collective stole dozens of the National Security Agency's ace-in-the-hole hacking tools. After a brief time attempting to sell these cyber weapons piecemeal in the cyber underground - and evidently getting no takers - Shadow Brokers, in an apparent fit of frustration, publicly released them.

Two of the NSA's stolen cyber weapons - codenamed EternalBlue and DoublePulsar - then very quickly became the basis for the creation of WannaCry, which spread, in a matter of days, into government, infrastructure and business networks in 150 countries.

Stealthier attacks

It's clear now that WannaCry was the proverbial tip of the iceberg. Cyber forensics firm Stroz Friedberg has tallied some 69 NSA cyber weapons released by Shadow Brokers. And these were freebies.

Doubtless, top for-profit cybercrime rings will recognize they have been handed a golden opportunity, and will most assuredly pour resources into figuring out how to leverage these free, military-grade cyber weapons in much stealthier ways than the somewhat clumsy release of WannaCry.

The initial version of WannaCry proved easy enough to thwart. More robust self-spreading variants almost immediately followed. "WannaCry was noisy and destructive," observes Mounir Hadad, senior director of Cyphort Labs. "It has made us aware of the number of systems that are vulnerable to exploits, whether they be disclosed or undisclosed."

Within a week of WannaCry's release, researchers at Cyphort Labs flushed out a variant with the self-spreading feature and ransomware instructions stripped out. Instead, someone crafted this particular variant to take root in the targeted network, stay put and standby to function as of a Remote Access Tool, or RAT. RATs are terrific at screen and keyboard monitoring, audio and video surveillance, file downloads, file transfers and more.

In roughly the same time frame, an all-new species of self-spreading worm, dubbed EternalRocks, aka MicroBotMassiveNet, (You just have to love these names!) was discovered by a Croation government IT advisor named Miroslav Stampar. The self-spreader Stampar found functions by combining not one, not two, but.....wait for it.... a total of seven NSA cyber weapons.

Weapons subscription

EternalRocks doesn't encrypt drives, nor does it demand a ransom. What it does is spread voraciously. I agree with those who argue that EternalRocks appears to be intended as a launchpad for future attacks leveraging more of the NSA's cyber weapons.

"It is clear that tools and techniques previously reserved for use by nation states are being integrated into crimeware for profit," says Josh Gomez, senior security researcher at Anomali. "We can expect to see more of these exploits and tools leveraged in future attacks, each one likely surpassing the previous in sophistication and stealth."

It's impossible to know just how many other attack campaigns leveraging the NSA's weapons are in development or are already out circulating in the Internet wild. We're likely only hearing about a small portion.

Meanwhile, Shadow Brokers recently threatened to throw kerosene on these open flames. On May 30, the collective announced that it is sitting on a cache of other military-grade cyber weapons designed to hack into web browsers, routers and even Windows 10, Microsoft's newest, most protected computer operating system.

The catch: Shadow Brokers says it plans to release these exploits a handful at a time on a monthly basis to customers willing to pay a monthly subscription fee of $22,000. This pitch is being viewed somewhat skeptically in the security community, since Shadow Brokers has not shown any proof - yet - that it actually has these tools to sell.

Lessons to learn

Hadad, at Cyphort Labs, says he believes leaders of the collective must still be frustrated and may be experimenting with business models. "They have tried an auction sale, a direct sale and now a subscription model," Hahad says. "None of the past models has generated any revenue for them."

Twenty-two grand for access to cutting-edge cyber weapons is a sweet deal. The danger, assuming Shadow Brokers actually has the weapons to sell, is that the bargain price could put decidedly dangerous hacking tools in the hands of a very bad crowd. "Some not-so-well funded foreign governments may dip their toes in," predicts Hadad.

These cyber weapons all take advantage of software coding flaws. So the moral of the story for organizations of all sizes is clear: install all security patches for known flaws as soon as feasible.

WannaCry also drives home why it is way beyond midnight for all public and private sector organizations to back up important data bases and applications -- often and comprehensively -- as well as have a viable breach response plan in place. Procrastination only boosts the odds that your organization will get caught in the next pervasive, high profile attack. And make no mistake, it is coming.